PayPal, Lenovo Launch New Campaign to Kill the Password

Why It Matters

Although nearly universal, passwords are an imperfect way to protect online accounts. Technology that makes them less critical could improve online security.

A consortium including PayPal and Lenovo, the world’s second-largest PC manufacturer, has launched a set of technology standards that could reduce reliance on passwords, potentially making online accounts more secure.

Under the standards put forward by the FIDO Alliance, the device a person is using to log in to an account would play a more central role in authentication. That would make it impossible to compromise accounts by stealing passwords, as hackers did in order to break into Twitter this month and LinkedIn last year.

“Customers credentials are [today] easily retrievable by criminals by techniques such as password guessing, credential theft at websites or phishing,” says Michael Barrett, chief information security officer at PayPal and a cofounder of the FIDO Alliance. “FIDO is significant because it helps to move us into a world where credentials are much more bound to the device and it’s much harder for the criminal to abscond with them.”

A company using the technical specifications being developed by the FIDO Alliance might get proof of a person’s device by checking the security chip that is installed in many PCs, or prompting a user with the right hardware to use a fingerprint reader. Barrett says that offering an open standard any company can adopt or sell will drive widespread adoption of the new technique, diminishing the password’s role in securing personal accounts.

Companies that opt to use the new approach will have the option of requiring both a password and a secondary authentication method tied to a device, or dispensing with the password altogether. “We finally can stop relying on these things that have been troubling us since the mainframe era,” says Phil Dunkelberger, previously CEO of PGP Corporation and now CEO of Nok Nok Labs. His new startup, which has $15 million in funding, has developed software that enables companies to secure their accounts using the FIDO standards.

One goal of the FIDO Alliance is to make better use of security hardware in existing devices that is little used today. Most desktop and laptop computers (and some tablets) already contain a piece of security hardware, known as the TPM chip, that can be used to verify who is using a particular device (today it’s used mostly to enable disk encryption). Dunkelberger says his company’s software can make similar use of the security chip included with the near-field communications hardware in some phones, which is used for making wireless payments. ARM and Intel both have plans to make technology similar to TPM standard in phone and tablets.

Requiring a person to offer both a password and a physically linked secondary proof is an approach known as “two-factor authentication.” Although widely advocated by security experts, it is relatively uncommon. Banks and large companies are the most enthusiastic adopters of two-factor authentication. Although some consumer companies offer it, Google, Dropbox and Facebook included, only a fraction of their users have adopted it.

For a company to adopt the FIDO approach, it must put the correct software on its servers and persuade customers to install new software on the phones and computers they use to access their accounts. The technology on the user’s end could be included in a mobile app or offered as a browser plug-in.

The FIDO specification is also designed to check a person’s credentials more safely than is usual today. Normally, when someone logs in to, say, an e-mail account from his or her phone, an encrypted version of their password is transmitted to a remote server to be compared against a database of passwords. Every time that happens, the password can potentially be intercepted and decrypted. The central password database can also be compromised, which is what happened in the case of Twitter. Passwords stolen that way can be used to take control of a person’s account.

In the FIDO method, no password of identifying information is sent out; instead, it is processed by software on the phone or computer. This software calculates cryptographic strings to be sent to a login server. The strings can be used to confirm that person supplied the correct credentials, but not to reveal the login information. At the same time, the user’s device receives a cryptographic string allowing it to verify that the server it is communicating with is the real one, not an impostor.

As a result the FIDO approach removes the incentive to steal passwords en masse from Web companies, says Ramesh Kesanupalli, a cofounder of the FIDO Alliance: “You have to go by single units, so there’s no scalability.” To compromise an account protected this way, he says, “I have to get your password and also steal your device.”

One potential downside of having the new specification adopted by many companies, however, is that it creates a large potential target for hackers, points out Michael Versace, a research director at the analysis firm IDC, who is familiar with the FIDO Alliance’s plans. “There would be a strong incentive for attackers to find vulnerabilities in such a large system,” he says. “A successful attack would cause systemic identity failures in the network they support.”

For the consortium to make a major impact, it will need to tempt many more companies to sign up, adds Versace. “FIDO’s chance of gaining traction initially is tied to PayPal,” he says, adding that so far the group has talked mostly about its technical approach, not about how it will make it appealing to companies in business and financial terms.

That could be particularly difficult when it comes to the largest Web companies, such as Google and Facebook, which may have their own plans, says Versace. Google, for instance, is known to be testing alternatives to the password based on USB keys (see “Google’s Alternative to the Password”).